Risk Assessment (c)(iii) and (d) Flashcards Preview

CITP > Risk Assessment (c)(iii) and (d) > Flashcards

Flashcards in Risk Assessment (c)(iii) and (d) Deck (9):

What is a "Walkthrough"?

- Act of tracing a transaction through org records, procedure and business processes
- Auditor's objective is to understand transaction flow (how initiated, authorized, recorded, processed, and reported)
- ID when control is missing, operating ineffectively or not designed properly
- Nontechnical approach to learning how a particular process or transaction works
- Considered a prelim step in overall testing process
- Based on the info and evidence gathered from walkthroughs, IT auditor s/b able to assess risks w/ business processes and controls relate to IT


What are may be included in "Walkthrough" procedures?

Combination of:
- Inquiry
- Observation
- Inspect relevant doc
- Re-perform controls

- Auditor should follow AS5 recommendations about combining
observation, inquiry, and review of relevant documents as part of the walkthrough


When are "Walkthrough" required?

- Required when certifying financial reporting controls under SOX 404


Based on concept of "Key Controls", when do Controls become "Relevant"?

(1) If controls are associated w/ FS data or financial reporting processes
(2) If controls are IT-related or IT-dependent
(3) If controls are related to RMM


What are 2 focus IT Auditor has on Automated Controls?

(1) Automated controls are key objective in IT audit
(2) Effective automated controls can be leveraged to reduce substantive testing in FAP phase of financial audit
- Automated controls s/b tested when there is an expectation of operating effectiveness for them, when substantive procedures alone do not provide sufficient evidence, and when there is a
lack of audit trail other than through IT or digital data


What are methods to ID Key Controls?

- IT auditor ID's key controls associated w/ relevant systems, applications, and specifically business processes
- Methods: Walkthroughs, interviews, observation, review of key documents, flowchart of business processes, financial systems and data flows


Determine Relevant Business Processes and Controls to Review

(1) IT auditor ID's Key Controls
- Associated w/ relevant systems, applications, and specifically business processes via walkthroughs, flowcharts
(2) ID Relevant Controls Embedded in Automated Business Processes
(3) Benchmark Relevant Automated Controls
- Measure and evaluate the “strength” (reliance) of control based on benchmark (the designed purpose of the control)


What is "Risk of Material Misstatement"?

- RMM = IR + CR
- Risk that an event, process or activity will lead to material misstatement and not be prevented/detected timely
- Includes acct balances, classes of transactions, disclosures, mgmt assertions
- Also includes risks from IT of entity


Describe the 6 Steps in the "RMM Process" Framework:

(1) ID IR - Some IR w/ processes, transactions, and events
(2) Type of Risk - Error or fraud
(3) Risk Level
- Relevant assertion regarding the IR or FS as a whole
(4) Controls - ID controls that may mitigate some IR
(5) CR Assessed
- Determine mitigation degree
- Auditor reduces original IR level by some amt and reaches some "Residual" risk
- Residual risk, and its level of risk, becomes primary factor in audit planning and developing FAPs
(6) RMM
- Combine IR and CR to determine level of risk for each specific RMM